Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24/12/2024, 05:23
Behavioral task
behavioral1
Sample
2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe
-
Size
17.3MB
-
MD5
711ddbfbbd4e7e6e8d054371e3607b17
-
SHA1
e12617062882aaf0dfa9dc1c64085df0e7b6082b
-
SHA256
fdc5bafb82ba9a28c76d7b94f7f80e7ca6c064f6c41e956c8f26f2a45f1f9ce6
-
SHA512
c7a84ab16085ec75209443945695f293b0333c9c17d33797afcc278c5c8fe385e1d6a8e0e057e86cbe255147506e1bb133d39377cb2a9f266e43d849fb71d099
-
SSDEEP
393216:wCcOWJfN7lAshtY7ipVK8I7zIax5RYC2xxPz0MO:ClhFKshtYGpVKbX9ixpPO
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation ._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation Synaptics.exe -
Executes dropped EXE 4 IoCs
pid Process 4920 ._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe 2912 Synaptics.exe 948 ._cache_Synaptics.exe 5028 AIToolkit.exe -
Loads dropped DLL 1 IoCs
pid Process 5028 AIToolkit.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AIToolkit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Synaptics.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4284 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4284 EXCEL.EXE 4284 EXCEL.EXE 4284 EXCEL.EXE 4284 EXCEL.EXE -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 5028 AIToolkit.exe 5028 AIToolkit.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1476 wrote to memory of 4920 1476 2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe 83 PID 1476 wrote to memory of 4920 1476 2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe 83 PID 1476 wrote to memory of 4920 1476 2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe 83 PID 1476 wrote to memory of 2912 1476 2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe 84 PID 1476 wrote to memory of 2912 1476 2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe 84 PID 1476 wrote to memory of 2912 1476 2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe 84 PID 2912 wrote to memory of 948 2912 Synaptics.exe 85 PID 2912 wrote to memory of 948 2912 Synaptics.exe 85 PID 2912 wrote to memory of 948 2912 Synaptics.exe 85 PID 4920 wrote to memory of 5028 4920 ._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe 86 PID 4920 wrote to memory of 5028 4920 ._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe 86 PID 4920 wrote to memory of 5028 4920 ._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe 86 PID 4920 wrote to memory of 5028 4920 ._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe 86 PID 4920 wrote to memory of 5028 4920 ._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe 86 PID 4920 wrote to memory of 5028 4920 ._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe"C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Users\Admin\AppData\Local\Temp\local\stubexe\0x98F77DD3A34F5E0F\AIToolkit.exe"C:\Users\Admin\AppData\Local\Temp\local\stubexe\0x98F77DD3A34F5E0F\AIToolkit.exe" /864A627C-C6B2-464A-AA13-25D62F282BD83⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
PID:5028
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
PID:948
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4284
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17.3MB
MD5711ddbfbbd4e7e6e8d054371e3607b17
SHA1e12617062882aaf0dfa9dc1c64085df0e7b6082b
SHA256fdc5bafb82ba9a28c76d7b94f7f80e7ca6c064f6c41e956c8f26f2a45f1f9ce6
SHA512c7a84ab16085ec75209443945695f293b0333c9c17d33797afcc278c5c8fe385e1d6a8e0e057e86cbe255147506e1bb133d39377cb2a9f266e43d849fb71d099
-
C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-24_711ddbfbbd4e7e6e8d054371e3607b17_darkgate_datper_hijackloader_luca-stealer_magniber.exe
Filesize16.6MB
MD5c503271792c714ddb48dc57c0f3f1284
SHA190ecbf9e4391293ce27889af4b5c1efbab245787
SHA2565da2144022be29b220d300595056a712d95c7dbddd59bc2575a62fa86cc5f0db
SHA51235a595a96eb3f1b9c5ff033c4b48bd2fdb4ae9bd8ea1116c23b2284f263d6bb80b286627b9b228fe8574027ea359794031dba1c6717dde33068c4db137e6bcff
-
Filesize
32B
MD539d043628a55a85a8c4b9512106f2c13
SHA18ab14657371619f3cf77d62757df4ec05c378d16
SHA25638f8f84cc65e293ee600180b36d0b8035d3fd14fb31652ea45cf1f83b2715f2c
SHA512eeacbc9b01f041b9b940cf77eca5f22e14a8a8ea1b5d07e4953693e6443e16ef763f90398299feb057582a72506d90aeb2d972a45580ab30da27422a9f6b0d94
-
Filesize
5.1MB
MD54d9ed3a8b663a8efa7c28e1212241e6a
SHA12d1212099df78f6323f3253b12c316c383a6dbf4
SHA256c02e2302a69872886b18d85acb914d1376b31f9e80c2dd37f7e962f36212c8c2
SHA512f77d2e3d9fb8f5ad222e37334a42bf893a16967435b0cc8a0f04dde17d5cf69a69a8ff92d0abccdcf00ae0455897c8dd2c9b06a6c7ff8b42eeb6e6ad6a1b3c70
-
Filesize
32KB
MD57c78cd32d2f5e1ea65e95ec2f560e0bf
SHA1a728c324ddc795fa1b863eb43f25e1f820acba64
SHA2563a34a287819689abe2b82f6faf8d1033e3dc306b27781cac87a05c5438465c84
SHA512dc1b0640cb020374e4a59c314e05da82a55739fe069a371624c0e56d86df291b145f3cb1f68e0508c503c7dce506ffa2966f52f31f391d759badae54c7467915
-
C:\Users\Admin\AppData\Local\Temp\local\temp\@WINDIR@\XSxS\Manifests\AIToolkit.exe_0x4d9ed3a8b663a8efa7c28e1212241e6a.1.manifest
Filesize1KB
MD5435c27f4c465398ce3d80ece542f47d5
SHA165296b152b79b2f198efa663dc2f004665c1f362
SHA256ba8792c35d9de2027b3999e3a012ae03b1ed51ccd5cea5acdd8de279ceb63fed
SHA51259d499c832f102e78c484bb53fafa56ff4a1463b44274ad1de86c9c65e67a18b6cafcbff23e588bef0fb34996a2c776b1bdf324a3f84f6af7b367ada17b18028
-
Filesize
16B
MD5ec3d19e8e9b05d025cb56c2a98ead8e7
SHA1748532edeb86496c8efe5e2327501d89ec1f13df
SHA256edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4
SHA512175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349
-
Filesize
17KB
MD58f3c7fbc1e051b36696dbd67e8ed4249
SHA1b6b3e8ff0aecce4e85ca9819cce2c9cce7a14c67
SHA2568a53a911752049160273f080c9631f519692de0aecd081b7b7c0239c5656f387
SHA5124ecb5f18cee44ef986845c49b2aa84c115180e277b866c4ebf9ccda94c0992cb2d2f8c0123ad0fb5558f63e0b37d6547f5e5971832ee44c55edd44521dd950a5